net-ssh 6.1.0 → 7.3.0

data/lib/net/ssh/authentication/pageant.rb

@@ -21,10 +21,9 @@ end
 
 require 'net/ssh/errors'
 
-module Net 
-  module SSH 
+module Net
+  module SSH
     module Authentication
-
       # This module encapsulates the implementation of a socket factory that
       # uses the PuTTY "pageant" utility to obtain information about SSH
       # identities.
@@ -33,36 +32,35 @@ module Net
       # by Guillaume Marçais (guillaume.marcais@free.fr). It is used and
       # relicensed by permission.
       module Pageant
-    
         # From Putty pageant.c
         AGENT_MAX_MSGLEN = 8192
         AGENT_COPYDATA_ID = 0x804e50ba
-    
+
         # The definition of the Windows methods and data structures used in
         # communicating with the pageant process.
         module Win # rubocop:disable Metrics/ModuleLength
           # Compatibility on initialization
           if RUBY_VERSION < "1.9"
             extend DL::Importable
-    
+
             dlload 'user32.dll'
             dlload 'kernel32.dll'
             dlload 'advapi32.dll'
-    
+
             SIZEOF_DWORD = DL.sizeof('L')
           elsif RUBY_VERSION < "2.1"
             extend DL::Importer
-            dlload 'user32.dll','kernel32.dll', 'advapi32.dll'
+            dlload 'user32.dll', 'kernel32.dll', 'advapi32.dll'
             include DL::Win32Types
-    
+
             SIZEOF_DWORD = DL::SIZEOF_LONG
           else
             extend Fiddle::Importer
-            dlload 'user32.dll','kernel32.dll', 'advapi32.dll'
+            dlload 'user32.dll', 'kernel32.dll', 'advapi32.dll'
             include Fiddle::Win32Types
             SIZEOF_DWORD = Fiddle::SIZEOF_LONG
           end
-    
+
           if RUBY_ENGINE == "jruby"
             typealias("HANDLE", "void *") # From winnt.h
             typealias("PHANDLE", "void *") # From winnt.h
@@ -76,105 +74,105 @@ module Net
           typealias("LPARAM", "long *")          # From windef.h
           typealias("PDWORD_PTR", "long *")      # From basetsd.h
           typealias("USHORT", "unsigned short")  # From windef.h
-    
+
           # From winbase.h, winnt.h
           INVALID_HANDLE_VALUE = -1
           NULL = nil
           PAGE_READWRITE = 0x0004
           FILE_MAP_WRITE = 2
           WM_COPYDATA = 74
-    
+
           SMTO_NORMAL = 0 # From winuser.h
-    
+
           SUFFIX = if RUBY_ENGINE == "jruby"
                      "A"
                    else
                      ""
                    end
-    
+
           # args: lpClassName, lpWindowName
           extern "HWND FindWindow#{SUFFIX}(LPCTSTR, LPCTSTR)"
-    
+
           # args: none
           extern 'DWORD GetCurrentThreadId()'
-    
+
           # args: hFile, (ignored), flProtect, dwMaximumSizeHigh,
           #           dwMaximumSizeLow, lpName
           extern "HANDLE CreateFileMapping#{SUFFIX}(HANDLE, void *, DWORD, " +
             "DWORD, DWORD, LPCTSTR)"
-    
+
           # args: hFileMappingObject, dwDesiredAccess, dwFileOffsetHigh,
           #           dwfileOffsetLow, dwNumberOfBytesToMap
           extern 'LPVOID MapViewOfFile(HANDLE, DWORD, DWORD, DWORD, DWORD)'
-    
+
           # args: lpBaseAddress
           extern 'BOOL UnmapViewOfFile(LPCVOID)'
-    
+
           # args: hObject
           extern 'BOOL CloseHandle(HANDLE)'
-    
+
           # args: hWnd, Msg, wParam, lParam, fuFlags, uTimeout, lpdwResult
           extern "LRESULT SendMessageTimeout#{SUFFIX}(HWND, UINT, WPARAM, LPARAM, " +
             "UINT, UINT, PDWORD_PTR)"
-    
+
           # args: none
           extern 'DWORD GetLastError()'
-    
+
           # args: none
           extern 'HANDLE GetCurrentProcess()'
-    
+
           # args: hProcessHandle, dwDesiredAccess, (out) phNewTokenHandle
           extern 'BOOL OpenProcessToken(HANDLE, DWORD, PHANDLE)'
-    
+
           # args: hTokenHandle, uTokenInformationClass,
           #           (out) lpTokenInformation, dwTokenInformationLength
           #           (out) pdwInfoReturnLength
           extern 'BOOL GetTokenInformation(HANDLE, UINT, LPVOID, DWORD, ' +
             'PDWORD)'
-    
+
           # args: (out) lpSecurityDescriptor, dwRevisionLevel
           extern 'BOOL InitializeSecurityDescriptor(LPVOID, DWORD)'
-    
+
           # args: (out) lpSecurityDescriptor, lpOwnerSid, bOwnerDefaulted
           extern 'BOOL SetSecurityDescriptorOwner(LPVOID, LPVOID, BOOL)'
-    
+
           # args: pSecurityDescriptor
           extern 'BOOL IsValidSecurityDescriptor(LPVOID)'
-    
+
           # Constants needed for security attribute retrieval.
           # Specifies the access mask corresponding to the desired access
           # rights.
           TOKEN_QUERY = 0x8
-    
+
           # The value of TOKEN_USER from the TOKEN_INFORMATION_CLASS enum.
           TOKEN_USER_INFORMATION_CLASS = 1
-    
+
           # The initial revision level assigned to the security descriptor.
           REVISION = 1
-    
+
           # Structs for security attribute functions.
           # Holds the retrieved user access token.
           TOKEN_USER = struct ['void * SID', 'DWORD ATTRIBUTES']
-    
+
           # Contains the security descriptor, this gets passed to the
           # function that constructs the shared memory map.
           SECURITY_ATTRIBUTES = struct ['DWORD nLength',
                                         'LPVOID lpSecurityDescriptor',
                                         'BOOL bInheritHandle']
-    
+
           # The security descriptor holds security information.
           SECURITY_DESCRIPTOR = struct ['UCHAR Revision', 'UCHAR Sbz1',
                                         'USHORT Control', 'LPVOID Owner',
                                         'LPVOID Group', 'LPVOID Sacl',
                                         'LPVOID Dacl']
-    
+
           # The COPYDATASTRUCT is used to send WM_COPYDATA messages
           COPYDATASTRUCT = if RUBY_ENGINE == "jruby"
                              struct ['ULONG_PTR dwData', 'DWORD cbData', 'LPVOID lpData']
                            else
                              struct ['uintptr_t dwData', 'DWORD cbData', 'LPVOID lpData']
                            end
-    
+
           # Compatibility for security attribute retrieval.
           if RUBY_VERSION < "1.9"
             # Alias functions to > 1.9 capitalization
@@ -196,15 +194,15 @@ module Net
               alias_method new_name, name
               module_function new_name
             end
-    
+
             def self.malloc_ptr(size)
               return DL.malloc(size)
             end
-    
+
             def self.get_ptr(data)
               return data.to_ptr
             end
-    
+
             def self.set_ptr_data(ptr, data)
               ptr[0] = data
             end
@@ -220,15 +218,15 @@ module Net
               attach_function :malloc, [:size_t], :pointer
               attach_function :free, [:pointer], :void
             end
-    
+
             def self.malloc_ptr(size)
               Fiddle::Pointer.new(LibC.malloc(size), size, LibC.method(:free))
             end
-    
+
             def self.get_ptr(ptr)
               return data.address
             end
-    
+
             def self.set_ptr_data(ptr, data)
               ptr.write_string_length(data, data.size)
             end
@@ -236,19 +234,19 @@ module Net
             def self.malloc_ptr(size)
               return DL::CPtr.malloc(size, DL::RUBY_FREE)
             end
-    
+
             def self.get_ptr(data)
               return DL::CPtr.to_ptr data
             end
-    
+
             def self.set_ptr_data(ptr, data)
-              DL::CPtr.new(ptr)[0,data.size] = data
+              DL::CPtr.new(ptr)[0, data.size] = data
             end
           end
-    
+
           def self.get_security_attributes_for_user
             user = get_current_user
-    
+
             psd_information = malloc_ptr(Win::SECURITY_DESCRIPTOR.size)
             raise_error_if_zero(
               Win.InitializeSecurityDescriptor(psd_information,
@@ -261,45 +259,46 @@ module Net
             raise_error_if_zero(
               Win.IsValidSecurityDescriptor(psd_information)
             )
-    
+
             sa = Win::SECURITY_ATTRIBUTES.new(to_struct_ptr(malloc_ptr(Win::SECURITY_ATTRIBUTES.size)))
             sa.nLength = Win::SECURITY_ATTRIBUTES.size
             sa.lpSecurityDescriptor = psd_information.to_i
             sa.bInheritHandle = 1
-    
+
             return sa
           end
-    
+
           if RUBY_ENGINE == "jruby"
             def self.ptr_to_s(ptr, size)
               ret = ptr.to_s(size)
               ret << "\x00" while ret.size < size
               ret
             end
-    
+
             def self.ptr_to_handle(phandle)
               phandle.ptr
             end
-    
+
             def self.ptr_to_dword(ptr)
               first = ptr.ptr.to_i
-              second = ptr_to_s(ptr,Win::SIZEOF_DWORD).unpack('L')[0]
+              second = ptr_to_s(ptr, Win::SIZEOF_DWORD).unpack('L')[0]
               raise "Error" unless first == second
+
               first
             end
-    
+
             def self.to_token_user(ptoken_information)
               TOKEN_USER.new(ptoken_information.to_ptr)
             end
-    
+
             def self.to_struct_ptr(ptr)
               ptr.to_ptr
             end
-    
+
             def self.get_sid(user)
-              ptr_to_s(user.to_ptr.ptr,Win::SIZEOF_DWORD).unpack('L')[0]
+              ptr_to_s(user.to_ptr.ptr, Win::SIZEOF_DWORD).unpack('L')[0]
             end
-    
+
             def self.get_sid_ptr(user)
               user.to_ptr.ptr
             end
@@ -307,39 +306,39 @@ module Net
             def self.get_sid(user)
               user.SID
             end
-    
+
             def self.ptr_to_handle(phandle)
               phandle.ptr.to_i
             end
-    
+
             def self.to_struct_ptr(ptr)
               ptr
             end
-    
+
             def self.ptr_to_dword(ptr)
               ptr.to_s(Win::SIZEOF_DWORD).unpack('L')[0]
             end
-    
+
             def self.to_token_user(ptoken_information)
               TOKEN_USER.new(ptoken_information)
             end
-    
+
             def self.get_sid_ptr(user)
               user.SID
             end
           end
-    
+
           def self.get_current_user
             token_handle = open_process_token(Win.GetCurrentProcess,
                                               Win::TOKEN_QUERY)
             token_user = get_token_information(token_handle,
-                            Win::TOKEN_USER_INFORMATION_CLASS)
+                                               Win::TOKEN_USER_INFORMATION_CLASS)
             return token_user
           end
-    
+
           def self.open_process_token(process_handle, desired_access)
             ptoken_handle = malloc_ptr(Win::SIZEOF_DWORD)
-    
+
             raise_error_if_zero(
               Win.OpenProcessToken(process_handle, desired_access,
                                    ptoken_handle)
@@ -347,12 +346,12 @@ module Net
             token_handle = ptr_to_handle(ptoken_handle)
             return token_handle
           end
-    
+
           def self.get_token_information(token_handle,
                                          token_information_class)
             # Hold the size of the information to be returned
             preturn_length = malloc_ptr(Win::SIZEOF_DWORD)
-    
+
             # Going to throw an INSUFFICIENT_BUFFER_ERROR, but that is ok
             # here. This is retrieving the size of the information to be
             # returned.
@@ -360,7 +359,7 @@ module Net
                                     token_information_class,
                                     Win::NULL, 0, preturn_length)
             ptoken_information = malloc_ptr(ptr_to_dword(preturn_length))
-    
+
             # This call is going to write the requested information to
             # the memory location referenced by token_information.
             raise_error_if_zero(
@@ -370,74 +369,76 @@ module Net
                                       ptoken_information.size,
                                       preturn_length)
             )
-    
+
             return to_token_user(ptoken_information)
           end
-    
+
           def self.raise_error_if_zero(result)
             if result == 0
               raise "Windows error: #{Win.GetLastError}"
             end
           end
-    
+
           # Get a null-terminated string given a string.
           def self.get_cstr(str)
             return str + "\000"
           end
         end
-    
+
         # This is the pseudo-socket implementation that mimics the interface of
         # a socket, translating each request into a Windows messaging call to
         # the pageant daemon. This allows pageant support to be implemented
         # simply by replacing the socket factory used by the Agent class.
         class Socket
           private_class_method :new
-    
+
           # The factory method for creating a new Socket instance.
           def self.open
             new
           end
-    
+
           # Create a new instance that communicates with the running pageant
           # instance. If no such instance is running, this will cause an error.
           def initialize
             @win = Win.FindWindow("Pageant", "Pageant")
-    
+
             if @win.to_i == 0
               raise Net::SSH::Exception,
-                "pageant process not running"
+                    "pageant process not running"
             end
-    
+
             @input_buffer = Net::SSH::Buffer.new
             @output_buffer = Net::SSH::Buffer.new
           end
-    
+
           # Forwards the data to #send_query, ignoring any arguments after
           # the first.
           def send(data, *args)
             @input_buffer.append(data)
-    
+
             ret = data.length
-    
+
             while true
               return ret if @input_buffer.length < 4
+
               msg_length = @input_buffer.read_long + 4
               @input_buffer.reset!
-    
+
               return ret if @input_buffer.length < msg_length
+
               msg = @input_buffer.read!(msg_length)
               @output_buffer.append(send_query(msg))
             end
           end
-    
+
           # Reads +n+ bytes from the cached result of the last query. If +n+
           # is +nil+, returns all remaining data from the last query.
           def read(n = nil)
             @output_buffer.read(n)
           end
-    
+
           def close; end
-    
+
           # Packages the given query string and sends it to the pageant
           # process via the Windows messaging subsystem. The result is
           # cached, to be returned piece-wise when #read is called.
@@ -446,29 +447,29 @@ module Net
             filemap = 0
             ptr = nil
             id = Win.malloc_ptr(Win::SIZEOF_DWORD)
-    
+
             mapname = "PageantRequest%08x" % Win.GetCurrentThreadId()
             security_attributes = Win.get_ptr Win.get_security_attributes_for_user
-    
+
             filemap = Win.CreateFileMapping(Win::INVALID_HANDLE_VALUE,
                                             security_attributes,
                                             Win::PAGE_READWRITE, 0,
                                             AGENT_MAX_MSGLEN, mapname)
-    
+
             if filemap == 0 || filemap == Win::INVALID_HANDLE_VALUE
               raise Net::SSH::Exception,
-                "Creation of file mapping failed with error: #{Win.GetLastError}"
+                    "Creation of file mapping failed with error: #{Win.GetLastError}"
             end
-    
+
             ptr = Win.MapViewOfFile(filemap, Win::FILE_MAP_WRITE, 0, 0,
                                     0)
-    
+
             if ptr.nil? || ptr.null?
               raise Net::SSH::Exception, "Mapping of file failed"
             end
-    
+
             Win.set_ptr_data(ptr, query)
-    
+
             # using struct to achieve proper alignment and field size on 64-bit platform
             cds = Win::COPYDATASTRUCT.new(Win.malloc_ptr(Win::COPYDATASTRUCT.size))
             cds.dwData = AGENT_COPYDATA_ID
@@ -476,14 +477,14 @@ module Net
             cds.lpData = Win.get_cstr(mapname)
             succ = Win.SendMessageTimeout(@win, Win::WM_COPYDATA, Win::NULL,
                                           cds.to_ptr, Win::SMTO_NORMAL, 5000, id)
-    
+
             if succ > 0
               retlen = 4 + ptr.to_s(4).unpack("N")[0]
               res = ptr.to_s(retlen)
             else
               raise Net::SSH::Exception, "Message failed with error: #{Win.GetLastError}"
             end
-    
+
             return res
           ensure
             Win.UnmapViewOfFile(ptr) unless ptr.nil? || ptr.null?
@@ -491,7 +492,6 @@ module Net
           end
         end
       end
-
     end
   end
 end

data/lib/net/ssh/authentication/pub_key_fingerprint.rb

@@ -22,17 +22,17 @@ module Net
         # returned by OpenSSH's <tt>`ssh-add -l -E SHA256`</tt>, i.e.,
         # trailing base64 padding '=' characters are stripped and the
         # literal string +SHA256:+ is prepended.
-        def fingerprint(algorithm='MD5')
+        def fingerprint(algorithm = 'MD5')
           @fingerprint ||= {}
           @fingerprint[algorithm] ||= PubKeyFingerprint.fingerprint(to_blob, algorithm)
         end
 
-        def self.fingerprint(blob, algorithm='MD5')
+        def self.fingerprint(blob, algorithm = 'MD5')
           case algorithm.to_s.upcase
           when 'MD5'
             OpenSSL::Digest.hexdigest(algorithm, blob).scan(/../).join(":")
           when 'SHA256'
-            "SHA256:#{Base64.encode64(OpenSSL::Digest.digest(algorithm, blob)).chomp.gsub(/=+\z/, '')}"
+            "SHA256:#{[OpenSSL::Digest.digest(algorithm, blob)].pack('m').chomp.gsub(/=+\z/, '')}"
           else
             raise OpenSSL::Digest::DigestError, "unsupported ssh key digest #{algorithm}"
           end

data/lib/net/ssh/authentication/session.rb

@@ -11,7 +11,6 @@ require 'net/ssh/authentication/methods/keyboard_interactive'
 module Net
   module SSH
     module Authentication
-
       # Raised if the current authentication method is not allowed
       class DisallowedMethod < Net::SSH::Exception
       end
@@ -42,7 +41,7 @@ module Net
 
         # Instantiates a new Authentication::Session object over the given
         # transport layer abstraction.
-        def initialize(transport, options={})
+        def initialize(transport, options = {})
           self.logger = transport.logger
           @transport = transport
 
@@ -55,7 +54,7 @@ module Net
         # Attempts to authenticate the given user, in preparation for the next
         # service request. Returns true if an authentication method succeeds in
         # authenticating the user, and false otherwise.
-        def authenticate(next_service, username, password=nil)
+        def authenticate(next_service, username, password = nil)
           debug { "beginning authentication of `#{username}'" }
 
           transport.send_message(transport.service_request("ssh-userauth"))
@@ -64,28 +63,30 @@ module Net
           key_manager = KeyManager.new(logger, options)
           keys.each { |key| key_manager.add(key) } unless keys.empty?
           keycerts.each { |keycert| key_manager.add_keycert(keycert) } unless keycerts.empty?
+          keycert_data.each { |data| key_manager.add_keycert_data(data) } unless keycert_data.empty?
           key_data.each { |key2| key_manager.add_key_data(key2) } unless key_data.empty?
           default_keys.each { |key| key_manager.add(key) } unless options.key?(:keys) || options.key?(:key_data)
 
           attempted = []
 
           @auth_methods.each do |name|
+            next unless @allowed_auth_methods.include?(name)
+
+            attempted << name
+
+            debug { "trying #{name}" }
             begin
-              next unless @allowed_auth_methods.include?(name)
-              attempted << name
-
-              debug { "trying #{name}" }
-              begin
-                auth_class = Methods.const_get(name.split(/\W+/).map { |p| p.capitalize }.join)
-                method = auth_class.new(self, key_manager: key_manager, password_prompt: options[:password_prompt])
-              rescue NameError
-                debug {"Mechanism #{name} was requested, but isn't a known type.  Ignoring it."}
-                next
-              end
-
-              return true if method.authenticate(next_service, username, password)
-            rescue Net::SSH::Authentication::DisallowedMethod
+              auth_class = Methods.const_get(name.split(/\W+/).map { |p| p.capitalize }.join)
+              method = auth_class.new(self,
+                                      key_manager: key_manager, password_prompt: options[:password_prompt],
+                                      pubkey_algorithms: options[:pubkey_algorithms] || nil)
+            rescue NameError
+              debug {"Mechanism #{name} was requested, but isn't a known type.  Ignoring it."}
+              next
             end
+
+            return true if method.authenticate(next_service, username, password)
+          rescue Net::SSH::Authentication::DisallowedMethod
           end
 
           error { "all authorization methods failed (tried #{attempted.join(', ')})" }
@@ -129,6 +130,7 @@ module Net
         def expect_message(type)
           message = next_message
           raise Net::SSH::Exception, "expected #{type}, got #{message.type} (#{message})" unless message.type == type
+
           message
         end
 
@@ -153,6 +155,12 @@ module Net
           Array(options[:keycerts])
         end
 
+        # Returns an array of the keycert data that should be used when
+        # attempting any key-based authentication mechanism.
+        def keycert_data
+          Array(options[:keycert_data])
+        end
+
         # Returns an array of the key data that should be used when
         # attempting any key-based authentication mechanism.
         def key_data